AWS cognito documentation change
Summary
Added CloudFormation tagging permissions section detailing required IAM permissions for tag propagation during stack operations.
Security assessment
Documents required IAM permissions (TagResource/UntagResource) for secure CloudFormation operations. While related to access control, this is operational guidance rather than vulnerability mitigation. It enhances security documentation by clarifying permission requirements.
Diff
diff --git a/cognito/latest/developerguide/tagging.md b/cognito/latest/developerguide/tagging.md index 799472f34..8b3853680 100644 --- a//cognito/latest/developerguide/tagging.md +++ b//cognito/latest/developerguide/tagging.md @@ -7 +7 @@ -Supported resourcesTag restrictionsManaging tags with the consoleAWS CLI examplesAPI actions +Supported resourcesTag restrictionsManaging tags with the consoleAWS CLI examplesAPI actionsCloudFormation tagging @@ -253,0 +254,28 @@ Use the following API actions to assign, view, and remove tags for identity pool +## CloudFormation tagging permissions + +When you create or update Amazon Cognito user pool or identity pool resources with AWS CloudFormation, CloudFormation can propagate stack-level tags and system-level tags to your resources. To permit this tag propagation, the IAM principal that deploys the stack must have tagging permissions in addition to the resource-creation permissions. + +For example, to create a user pool with `cognito-idp:CreateUserPool`, the caller must also have the following permissions: + + * `cognito-idp:TagResource` + + * `cognito-idp:UntagResource` + + * `cognito-idp:ListTagsForResource` + + + + +Similarly, to create an identity pool with `cognito-identity:CreateIdentityPool`, the caller must also have the following permissions: + + * `cognito-identity:TagResource` + + * `cognito-identity:UntagResource` + + * `cognito-identity:ListTagsForResource` + + + + +Without these permissions, stack creation or update can fail when CloudFormation attempts to apply tags to the resource. If you see an access-denied error related to tagging during a stack operation, verify that your IAM policy includes these permissions. +